Restrict ssh access to memebers of group ssh_login

This commit is contained in:
m8in
2026-03-03 22:19:27 +01:00
parent 88acbffbd0
commit abcb324283
4 changed files with 61 additions and 3 deletions


@@ -38,7 +38,7 @@ function cloneOrPull {
&& return 0 && return 0
! [ -d "${_FOLDER}/.git" ] \ ! [ -d "${_FOLDER}/.git" ] \
&& git clone "${_REPOSITORY}" "${_FOLDER}" &> /dev/null \ && GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new" git clone "${_REPOSITORY}" "${_FOLDER}" &> /dev/null \
&& return 0 && return 0
echo "FAIL: The local repository is not updatable: ("$(readlink -f ${0})")" >&2 echo "FAIL: The local repository is not updatable: ("$(readlink -f ${0})")" >&2
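Review bot: `StrictHostKeyChecking=accept-new` on the clone line means the very first clone trusts whatever host key the remote presents, so the repository host is only authenticated on later pulls, not on the fetch that initially populates the local checkout. If the host key is known in advance, seeding it into a known_hosts file that ships with the definitions (and pointing ssh at it with `-o UserKnownHostsFile=<path>`) keeps the first clone strict; if trust-on-first-use is the intended trade-off, say so on the line, e.g. `# accept-new: first clone pins the host key (TOFU); later pulls fail if it changes`. cloneOrPull starts outside the hunk, and the unquoted `${0}` inside `$(readlink -f ${0})` on the last line predates this change.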


@@ -0,0 +1,10 @@
# Allows user 'root' to use ssh always.
# This should prevent lockout because access is allowed without group membership.
# For details see: https://serverfault.com/questions/617081/how-to-use-both-allowgroups-and-allowusers-in-sshd-config
AllowUsers root
# 1. Create custom group 'ssh_login' of type system if not exist:
# - addgroup --system "ssh_login"
# 2. Additionally allow users of group 'ssh_login' to use ssh only:
# - adduser "${USER}" "ssh_login"
Match group ssh_login
AllowUsers *
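Review bot: `AllowUsers root` on its own only keeps root reachable when `PermitRootLogin` elsewhere in sshd_config or another sshd_config.d fragment permits root at all, so the lockout safeguard the header comment promises depends on a setting this file does not show; the comment should name that dependency, e.g. `# Requires PermitRootLogin to allow root (e.g. prohibit-password); check the merged config before deploying.` Because a typo in this fragment would reject every non-root login once sshd reloads, the deployment step should validate the merged configuration with `sshd -t` before sshd picks the file up; a comment here stating that expectation would help whoever edits the file next. It is also worth noting in the file that the `Match group ssh_login` block runs to end of file, so any directive appended below `AllowUsers *` becomes conditional on that group.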


@@ -10,6 +10,11 @@ function prepareFolder() {
_USER="${_HOME_FOLDER##*/}" #Removes longest matching pattern '*/' from the begin _USER="${_HOME_FOLDER##*/}" #Removes longest matching pattern '*/' from the begin
readonly _HOME_FOLDER _SSH_FOLDER _USER readonly _HOME_FOLDER _SSH_FOLDER _USER
! id "${_USER}" &> /dev/null \
&& echo "FAIL: The given user does not exist: ("$(readlink -f ${0})")" \
&& echo " - '${_USER}'" \
&& return 1
! [ -d "${_HOME_FOLDER}" ] \ ! [ -d "${_HOME_FOLDER}" ] \
&& echo "FAIL: The home folder is unavailable: ("$(readlink -f ${0})")" \ && echo "FAIL: The home folder is unavailable: ("$(readlink -f ${0})")" \
&& echo " - '${_HOME_FOLDER}'" \ && echo " - '${_HOME_FOLDER}'" \
@@ -50,6 +55,40 @@ function prepareFolder() {
return 1 return 1
} }
function ensureGroupMembership() {
local _SSH_GROUP _USER
_SSH_GROUP="ssh_login"
_USER="${1:?"ensureGroupMembership(): Missing first parameter USER"}"
readonly _SSH_GROUP _USER
! id "${_USER}" &> /dev/null \
&& echo "FAIL: The given user does not exist: ("$(readlink -f ${0})")" \
&& echo " - '${_USER}'" \
&& return 1
! getent group | cut -d: -f1 | grep -qF "${_SSH_GROUP}" \
&& addgroup --system --quiet "${_SSH_GROUP}" \
&& adduser --quiet "${_USER}" "${_SSH_GROUP}" \
&& echo "SUCCESS: Group was created and user was added: ("$(readlink -f ${0})")" \
&& echo " - Group: '${_SSH_GROUP}'" \
&& echo " - User: '${_USER}'" \
&& return 0
# Ensure the group exists then add user
getent group | cut -d: -f1 | grep -qF "${_SSH_GROUP}" \
&& adduser --quiet "${_USER}" "${_SSH_GROUP}" \
&& echo "SUCCESS: Group already exists and user was added: ("$(readlink -f ${0})")" \
&& echo " - Group: '${_SSH_GROUP}'" \
&& echo " - User: '${_USER}'" \
&& return 0
echo "FAIL: The user could not be added to the group: ("$(readlink -f ${0})")" >&2
echo " - Group: '${_SSH_GROUP}'" >&2
echo " - User: '${_USER}'" >&2
echo " - due to an error or insufficient rights." >&2
return 1
}
function defineAuthorizedKeysOfUser() { function defineAuthorizedKeysOfUser() {
local _CIS_ROOT _CORE_SCRIPTS _DOMAIN _DEFINITIONS _USER local _CIS_ROOT _CORE_SCRIPTS _DOMAIN _DEFINITIONS _USER
_DEFINITIONS="$(realpath -s "${1:?"Missing first parameter DEFINITIONS: 'ROOT/definitions/DOMAIN'"}")" _DEFINITIONS="$(realpath -s "${1:?"Missing first parameter DEFINITIONS: 'ROOT/definitions/DOMAIN'"}")"
@@ -67,13 +106,19 @@ function defineAuthorizedKeysOfUser() {
root) root)
prepareFolder "/root/.ssh" \ prepareFolder "/root/.ssh" \
&& echo \ && echo \
&& source "${_CORE_SCRIPTS:?"Missing CORE_SCRIPTS"}ensureUsageOfDefinitions.sh" "${_DEFINITIONS}" "/root/.ssh/authorized_keys" \ && "${_CORE_SCRIPTS:?"Missing CORE_SCRIPTS"}ensureUsageOfDefinitions.sh" "${_DEFINITIONS}" "/root/.ssh/authorized_keys" \
&& echo \
&& "${_CORE_SCRIPTS:?"Missing CORE_SCRIPTS"}ensureUsageOfDefinitions.sh" "${_DEFINITIONS}" "/etc/ssh/sshd_config.d/AccessRestriction.conf" \
&& return 0 || return 1 && return 0 || return 1
;; ;;
*) *)
prepareFolder "/home/${_USER}/.ssh" \ prepareFolder "/home/${_USER}/.ssh" \
&& echo \ && echo \
&& source "${_CORE_SCRIPTS:?"Missing CORE_SCRIPTS"}ensureUsageOfDefinitions.sh" "${_DEFINITIONS}" "/home/${_USER}/.ssh/authorized_keys" \ && ensureGroupMembership "${_USER}" \
&& echo \
&& "${_CORE_SCRIPTS:?"Missing CORE_SCRIPTS"}ensureUsageOfDefinitions.sh" "${_DEFINITIONS}" "/home/${_USER}/.ssh/authorized_keys" \
&& echo \
&& "${_CORE_SCRIPTS:?"Missing CORE_SCRIPTS"}ensureUsageOfDefinitions.sh" "${_DEFINITIONS}" "/etc/ssh/sshd_config.d/AccessRestriction.conf" \
&& return 0 || return 1 && return 0 || return 1
;; ;;
esac esac
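Review bot: In ensureGroupMembership (second hunk of this file), `getent group | cut -d: -f1 | grep -qF "${_SSH_GROUP}"` is a substring match, so an unrelated group whose name merely contains `ssh_login` makes the function skip `addgroup` and then try to add the user to a group that does not exist; the same lookup is also run twice. Querying the group by name avoids both problems: `getent group "${_SSH_GROUP}" &> /dev/null` in place of the pipeline on both lines (or `grep -qxF` if the pipeline is kept). The comment `# Ensure the group exists then add user` sits above the already-exists branch while the branch above it, which actually creates the group, has no comment, so the two should be swapped. Whether `adduser` returns 0 for a user who is already a member decides if a rerun for an existing member ends in the FAIL branch; worth confirming on the target distribution and noting on the `adduser` line. In the third hunk the sshd fragment `AccessRestriction.conf` is deployed for every user; unless ensureUsageOfDefinitions.sh validates the merged config (`sshd -t`) before sshd reloads, a bad fragment locks out all non-root logins, so a comment on that line stating where validation happens would help.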


@@ -15,6 +15,9 @@ function isCoreDefinition() {
echo "${1:?"Missing first parameter FILE"}" | grep -F '/root/.ssh/authorized_keys' &> /dev/null \ echo "${1:?"Missing first parameter FILE"}" | grep -F '/root/.ssh/authorized_keys' &> /dev/null \
&& return 0 && return 0
echo "${1:?"Missing first parameter FILE"}" | grep -F '/etc/ssh/sshd_config.d/AccessRestriction.conf' &> /dev/null \
&& return 0
echo "${1:?"Missing first parameter FILE"}" | grep -F '/home/jenkins/.ssh/authorized_keys' &> /dev/null \ echo "${1:?"Missing first parameter FILE"}" | grep -F '/home/jenkins/.ssh/authorized_keys' &> /dev/null \
&& return 0 && return 0